Page 119 - CITP Review
Software management
Software management covers whatever applications the entity uses in its accounting information
system, whether commercial off-the-shelf (COTS) software, custom-developed software, or some hybrid of the two.
For COTS software, policies and procedures should be established to ensure that software is purchased only from
reliable vendors, and criteria should be developed for determining what makes a vendor reliable. The P&P should
also give guidance on keeping the software current as new versions are released, and should cover software
maintenance, which usually includes version updates as well as help desk support.
For custom software, the P&P should lay out procedures that mitigate the risk of errors and fraud in
development and deployment. Special attention should be given to complete testing in a non-production environment
before deployment. It is also beneficial to require compliance with recognized practices that mitigate
programming risk, for example a formal software development life cycle (SDLC).
The P&P should also address quasi-software such as macros in end-user systems (for example, electronic
spreadsheets or databases) and formulas in electronic spreadsheets. The issues are essentially the same
as for custom software: development, testing, and deployment practices that mitigate the risks
associated with end-user computing.
The COBIT process AI2, Acquire and Maintain Application Software, should be a beneficial source of objectives
for developing P&P in this area.
Operating system management
The operating system (O/S) plays a key role in computer operations: applications run within the
O/S environment, and the O/S itself needs updating from time to time as vulnerabilities are discovered. In addition, a
user with administrative rights to the O/S has direct access to the IT assets it hosts, which, where such accounts exist,
represents a relatively high inherent risk. Thus O/S P&P would include issues and objectives similar to those for
application software (version control, updates, development control, testing before deployment, and so on) but would also
cover logical access control, O/S configuration settings and parameters, and patch management.
ISACA's ITAF, segment 3630.14, covers Operating Systems Management and Controls, and should be a
beneficial source for objectives and issues in this area for developing appropriate P&P. [21]
Network management
The network is another critical piece of the infrastructure supporting financial applications and data.
Network P&P would typically cover internal and external networks, outsourced network services, expected levels of
operating performance (for example, availability), access controls (especially password policy), and security.
ISACA's ITAF, segment 3630.11, covers Network Management and Controls, and should be a beneficial
source for objectives and issues in this area for developing appropriate P&P. [22]
[21] Singleton, Tommie. Complete Guide to the CITP Body of Knowledge. Durham, NC: AICPA, 2011.
[22] Singleton, Tommie. Complete Guide to the CITP Body of Knowledge. Durham, NC: AICPA, 2011.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-35